Login security for a form

D

David W. Simmonds

I have a form that will prompt for a user name/password. In VS.NET, I have
the protected form in a folder named Admin. I have a Web.config file in that
folder as well. It contains the following section:

<authorization>
<deny users="?" />
<allow users="*" />
</authorization>

In the root folder where the other forms are located I have a Web.config
file with the following section:

<authentication mode="Forms">
<forms loginUrl="LoginPage.aspx?DB=Photos" timeout="10080" />
</authentication>

In LoginPage.aspx, I have a user name and password edit box and a Login
button. When clicked it executes the following code:

private void Login_Click(object sender, System.EventArgs e)
{
if (Authenticated (UserName.Text, Password.Text))
{
string userData = "";
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1,
UserName.Text,
System.DateTime.Now,
System.DateTime.Now.AddMinutes(30),
Persistent.Checked,
userData,
FormsAuthentication.FormsCookiePath);

// Encrypt the ticket.
string encTicket = FormsAuthentication.Encrypt(ticket);

// Create the cookie.
Response.Cookies.Add(new
HttpCookie(FormsAuthentication.FormsCookieName, encTicket));
Response.Redirect (FormsAuthentication.GetRedirectUrl(UserName.Text,
Persistent.Checked));
}
else
Message("Invalid login");
}

If I specify an invalid login combination, the Message statement executes.
This is good. If I specify a good combination, the form never moves from the
login page. The forms are running in a frame on the page that presents them.
Why would the page not be redirected when authentication is valid?
 
D

David W. Simmonds

More info:

It appears the the url obtained from FormsAuthentication.GetRedirectUrl is
not a fully qualified url. It is a relative url. Is there a way for fully
qualify it? If I put http://www.microsoft.com in the Response.Redirect
method, the redirect occurs.
 
D

David W. Simmonds

Even more info:

It seems that the Redirect is working fine, but it is redirecting back to
the login page even though the url does not contain LoginPage.aspx. It
contains the url to the aspx page that is in the protected folder. Now I
really don't know what is happening now. It's as if the authentication
succeeds, but it redirects me back to the same login page anyway.
 
J

Jen

If its redirecting to the login page it sounds like either the cookie
isn't persisting properly or the login isn't successful.

Can I ask why you have two web.config files? I thought (and I could
be wrong) that a Web Application has only one web.config file that it
loads up when running so am a little unclear about why you have the
second one. If you want a timeout value - you would set that on the
cookie you create.

I have this in my web.config file:

<authentication mode="Forms">
<forms name="demoReport"
loginUrl="login.aspx"
protection="All"
timeout="30"
path="/"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>

I set the start page to be report.aspx and when I run it it send me to
login.aspx to authenticate me. I'm actually authenticating against
active directory in a custom method but my code for the ticket is:

if (sec.authenticateUser(txtUsername.Text.Trim(),
txtPassword.Text.Trim(), "Domain"))
{
FormsAuthenticationTicket ticket = new
FormsAuthenticationTicket(txtUsername.Text.Trim(),
cbPersistCookie.Checked, 30);

// Encrypt the cookie using the machine key for secure transport
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(
FormsAuthentication.FormsCookieName, // Name of auth cookie
hash); // Hashed ticket

// Set the cookie's expiration time to the tickets expiration time
if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;

// Add the cookie to the list for outgoing response
Response.Cookies.Add(cookie);

// Redirect to requested URL, or homepage if no previous page
// requested
string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null) returnUrl = "/";

// Don't call FormsAuthentication.RedirectFromLoginPage since it
// could
// replace the authentication ticket (cookie) we just added
Response.Redirect(returnUrl);
}

and this works for me. Have you checked that the authenticated method
you're using is returning true (sorry to ask a stupid question).

Hope this helps!! I've only just got this working so am pretty
excited about it :)

Jen
(e-mail address removed)
 
D

David W. Simmonds

I have two. One resides in a "protected" folder. Any page in that folder
will use the web.config file and that file says to go to the loginpage.aspx.

Jen said:
If its redirecting to the login page it sounds like either the cookie
isn't persisting properly or the login isn't successful.

Can I ask why you have two web.config files? I thought (and I could
be wrong) that a Web Application has only one web.config file that it
loads up when running so am a little unclear about why you have the
second one. If you want a timeout value - you would set that on the
cookie you create.

I have this in my web.config file:

<authentication mode="Forms">
<forms name="demoReport"
loginUrl="login.aspx"
protection="All"
timeout="30"
path="/"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>

I set the start page to be report.aspx and when I run it it send me to
login.aspx to authenticate me. I'm actually authenticating against
active directory in a custom method but my code for the ticket is:

if (sec.authenticateUser(txtUsername.Text.Trim(),
txtPassword.Text.Trim(), "Domain"))
{
FormsAuthenticationTicket ticket = new
FormsAuthenticationTicket(txtUsername.Text.Trim(),
cbPersistCookie.Checked, 30);

// Encrypt the cookie using the machine key for secure transport
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(
FormsAuthentication.FormsCookieName, // Name of auth cookie
hash); // Hashed ticket

// Set the cookie's expiration time to the tickets expiration time
if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;

// Add the cookie to the list for outgoing response
Response.Cookies.Add(cookie);

// Redirect to requested URL, or homepage if no previous page
// requested
string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null) returnUrl = "/";

// Don't call FormsAuthentication.RedirectFromLoginPage since it
// could
// replace the authentication ticket (cookie) we just added
Response.Redirect(returnUrl);
}

and this works for me. Have you checked that the authenticated method
you're using is returning true (sorry to ask a stupid question).

Hope this helps!! I've only just got this working so am pretty
excited about it :)

Jen
(e-mail address removed)

"David W. Simmonds" <[email protected]> wrote in message
Even more info:

It seems that the Redirect is working fine, but it is redirecting back to
the login page even though the url does not contain LoginPage.aspx. It
contains the url to the aspx page that is in the protected folder. Now I
really don't know what is happening now. It's as if the authentication
succeeds, but it redirects me back to the same login page anyway.

I
have in
that from
the presents
them.
Click to expand...
Click to expand...
 
D

David W. Simmonds

The authentication is working fine. If I put http://www.microsoft.com into
the redirect method, it redirects everytime.

Also, as far as the multiple web.config files, some of my web pages do not
require authentication. It's only the administrative pages that do. They are
put into another folder with another web.config file. Then the login page
runs for them.

If I change my Privacy settings (Tools -> Internet Options -> Privacy) to
Low or Accept All Cookies, then everything works fine. Is there something I
can do to leave it at Medium?

Jen said:
If its redirecting to the login page it sounds like either the cookie
isn't persisting properly or the login isn't successful.

Can I ask why you have two web.config files? I thought (and I could
be wrong) that a Web Application has only one web.config file that it
loads up when running so am a little unclear about why you have the
second one. If you want a timeout value - you would set that on the
cookie you create.

I have this in my web.config file:

<authentication mode="Forms">
<forms name="demoReport"
loginUrl="login.aspx"
protection="All"
timeout="30"
path="/"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>

I set the start page to be report.aspx and when I run it it send me to
login.aspx to authenticate me. I'm actually authenticating against
active directory in a custom method but my code for the ticket is:

if (sec.authenticateUser(txtUsername.Text.Trim(),
txtPassword.Text.Trim(), "Domain"))
{
FormsAuthenticationTicket ticket = new
FormsAuthenticationTicket(txtUsername.Text.Trim(),
cbPersistCookie.Checked, 30);

// Encrypt the cookie using the machine key for secure transport
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(
FormsAuthentication.FormsCookieName, // Name of auth cookie
hash); // Hashed ticket

// Set the cookie's expiration time to the tickets expiration time
if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;

// Add the cookie to the list for outgoing response
Response.Cookies.Add(cookie);

// Redirect to requested URL, or homepage if no previous page
// requested
string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null) returnUrl = "/";

// Don't call FormsAuthentication.RedirectFromLoginPage since it
// could
// replace the authentication ticket (cookie) we just added
Response.Redirect(returnUrl);
}

and this works for me. Have you checked that the authenticated method
you're using is returning true (sorry to ask a stupid question).

Hope this helps!! I've only just got this working so am pretty
excited about it :)

Jen
(e-mail address removed)

"David W. Simmonds" <[email protected]> wrote in message
Even more info:

It seems that the Redirect is working fine, but it is redirecting back to
the login page even though the url does not contain LoginPage.aspx. It
contains the url to the aspx page that is in the protected folder. Now I
really don't know what is happening now. It's as if the authentication
succeeds, but it redirects me back to the same login page anyway.

I
have in
that from
the presents
them.
Click to expand...
Click to expand...
 
S

Steven Cheng[MSFT]

Hi David,


Thanks for posting in the community!
From your description, you used FormsAuthentication in its Asp.net web
application, you found when the user has been authenticated and call the
Response.Redirect(FormsAuthentication.GetRedirectUrl..) to redirect
user to the fomer requested page, it didn't work, the user is still
redirect back to the login page, yes?
If there is anything I misunderstood, please feel free to let me know.

I've viewed the other messages in this thread and as you mentioned that it
works ok when you turned the IE's cookie privacy to "low" or allow all
cookie, yes? So I suspect that the problem is due to the Authentication
cookie is failed to be store in clientside. That means thought the user has
been authenticated , his authentication cookie(the token) hasn't been
stored into client's cookie that's why when he is still redirect to login
page after authenticated. To confirm it , would you please try out the
following items:(let the browser's cookie privacy as meduim by default)
1. Try manually redirecting the user to a protected page(via hard code url
address rather than get via GetRedirectUrl method) after setting the
authenticate cookie to see whether the problem still remains.

2. Try using the FormsAuthentication.RedirectFromLoginPage to see whether
this works.

3. If all the above not work, I think you may have a check to see whether
the authentication cookie is correctly store to the client. Turn on the
page's trace and check the Request and Response's cookie collection
,whether the Authenctiona cookie is in cookie collecdtion.

4. Also, try add a normal cookie variable into the response.cookies
collecdtion and then retrieve it again in another page to see whether
normal cookie can work well.

Please try out the above items. If you got any progresses, please feel free
to post here.


Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
 
D

David W. Simmonds

I used this code instead:

private void Login_Click(object sender, System.EventArgs e)
{
if (Authenticated (UserName.Text, Password.Text))
{
FormsAuthenticationTicket ticket = new
FormsAuthenticationTicket(UserName.Text, Persistent.Checked, 20);
string strEncrypted = FormsAuthentication.Encrypt(ticket);
string strURL = FormsAuthentication.GetRedirectUrl(UserName.Text,
Persistent.Checked);
if (strURL.IndexOf("?") == -1)
{
strURL += "?" + FormsAuthentication.FormsCookieName + "=" +
strEncrypted;
}
else
{
strURL += "&" + FormsAuthentication.FormsCookieName + "=" +
strEncrypted;
}
Response.Redirect(strURL);
}
else
Message("Invalid login");
}

Now it doesn't matter what the Privacy setting is.
 
S

Steven Cheng[MSFT]

Hi David,


Thanks for your followup. From the code you provided in the last reply,
you're using cookieless FormAuthentication now, store the Authentication
token in url querystring rather than in client cookie? But I think the
former problem we meet still remains on the cookie, have you tried out the
suggestions in my last reply? Please try them out and let me know if you
need any further help. Thanks.



Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
 
D

David W. Simmonds

Ok, I did steps 1 and 2. All that happens is that it just goes back to the
login page.

I am unclear as to how to do steps 3 and 4. Please advise.
 
D

David W. Simmonds

I turned on Trace in the Login page. Here is what I saw:

ASP.NET_SessionId axoagw55qmcq5l55m5ctskfp 42


Then I added the "testcookie" bit into another page, turned the trace on it
as well. I saw this in that page.

ASP.NET_SessionId f5utpgfelv2ndh45zooqsk55 42
testcookie testcookie_value 27


Then I went back to the Login page and all I saw was the ASP.NET_SessionId.
I don't understand what I am seeing though.
 
S

Steven Cheng[MSFT]

Hi David,

Thanks for your reply. From your test result. It seems that your
application is ok to write normal cookie onto the client side machine(for
you have seen the "ASPNET_SessionID" cookie in the trace report). Then, if
you turn on the FormsAuthentication, do you see another cookie in the
Cookie collection? Its name is the same as you set in the
machien.config such as
<forms name=".ASPNET_FORM_NAME" .....>

If not, the problem why Formauthentication failed when store token in
cookie may be something with the Web Application's cookie privacy setting.
In IE 6 under default privacy policy(meduim) all third party cookies that
do not have a compact policy are blocked. If your asp.net web application
is in a different domain
from the page the contains the iframe, it is considered as third party
context and the cookie is blocked. Since the cookie is not set you are
always redirected to the login page.
Do your pages set in a frame or iframe? Or you may try creating a very
simple web app which just has two pages , one login page, another protected
page and using FormsAuthentication, if this application can work well with
cookiebased formauthentication, I think the problem is focus on your
application (it may contains some third-party cookie like behavior ).
If this does be the cause of the problem, you need to allow the third party
cookies you need to develop a compact
policy.

Here are some kb articles on the IE cookie privacy setting and IIS
third-party cookie policy setting, you may have a look if you feel
necessary:

#HOW TO: Configure IIS To Use Platform for Privacy Preferences (P3P)
http://support.microsoft.com/?id=324013

Also, there has the weblinks to some other web reference such as on

#The Default Privacy Settings for Internet Explorer 6
http://support.microsoft.com/?id=293222

"how to create the full privacy policy, policy reference, and compact codes"
http://www.w3.org/P3P

and "information about full privacy policy, policy reference, and compact
codes"
http://msdn.microsoft.com/library/default.asp?url=/workshop/security/privacy
/overview/createprivacypolicy.asp



Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

How to add FormsAuthenticationTicket to URL 1
Thread was being aborted 6
Session times out in less time than I set 9
Forms Authentication with UserData Problem 1
Strange Role-Based authentication problem! 5
ASP.NET web.config MSDN Example 6
:o( .... Client not redirected to login page. 5
Form-based Authentication 2

Top